Judge orders sex harassment plaintiffs to produce Facebook passwords

Women suing an employer for sexual harassment will have to provide a court official with their social media and e-mail passwords. The novel procedure was announced by a Colorado federal magistrate judge earlier this month. Wendy Cabrera is the lead plaintiff in a lawsuit against the Honeybaked Ham Company. She and about 20 other women charge that company manager James Jackman "frequently" groped women under his supervision and made sexual requests of them. The woman say the corporate office failed to take action to stop his behavior after it was reported.

Honeybaked Ham argues it needs copies of certain Facebook postings, e-mails, text messages, and other private communications of the plaintiffs in order to defend itself. For example, the company says Cabrera discussed "her financial expectations in this lawsuit" on her Facebook page, which the company says could be useful to establish the plaintiff's motive. The firm also said she posted a picture of Cabrera wearing "a shirt with the word 'CUNT' in large letters written across the front." The defense argues this picture is relevant to the case because Cabrera has charged the word was "used pejoratively against her," and caused her offense.

That's not even all of it. Honeybaked Ham says it will need "other writings addressing her positive outlook on how her life was post-termination, her self-described sexual aggressiveness, statements about actions she engaged in as a supervisor with Defendant, sexually amorous communications with other class members, her post-termination employment and income opportunities and financial condition." And it wants similar information from the other women participating as plaintiffs in the lawsuit.

In a November 7 order recently spotted by Venkat Balasubramani, Magistrate Judge Michael E. Hegarty acknowledged much of the information sought by Honeybaked Ham is potentially relevant to the lawsuit. He noted "the whole area of social media presents thorny and novel issues with which courts are only now coming to grips." However, he said "the fact that [information] exists in cyberspace on an electronic device is a logistical and, perhaps, financial problem, but not a circumstance that removes the information from accessibility by a party opponent in litigation."

So Judge Hegarty announced he will appoint a "special master" to oversee the process of producing this evidence. He then ordered all the women who signed onto the lawsuit to give the special master access to their cell phones, "necessary information to access any social media websites used," and "necessary information to access any e-mail account or Web blog or similar/related electronically accessed Internet or remote location used for communication with others or posting communications or pictures" since 2009.

Once the information has been produced, the judge will decide which information is relevant to the lawsuit, give the plaintiffs a chance to object to the disclosures, and then turn over appropriate information to the defendants. The costs of this process will be split between the plaintiffs and defendant.

Balasubramani, an attorney who contributes to Eric Goldman's Technology and Marketing Law Blog, is not a fan of this arrangement. "Requiring disclosure of passwords should be completely off the list" of techniques courts use during the discovery process, he argued. "Apart from the fact that this results in disclosure of or access to the entire contents of the account (including information that is not relevant or information that is covered by the Stored Communications Act) it may result in unwitting changes to the account." Instead, Balasubramani recommends that parties be compelled to export data from sites like Facebook and provide the exported data to the court.

Why not subpoena Facebook and order them to disclose the relevant info? Requiring the plaintiffs to divulge their passwords to the court doesn't seem like a very good practice.

Because Facebook is a non-party to the case which should not have to shoulder any burden related to its disposition. Of course, if they provided a simple data-export mechanism like Google does for most services, and like they are probably gearing up to do in the EU, that would make the process much easier.

That's one heckuva fishing expedition in the defendants' favor. This just seems like a gigantic overreach of the courts. I mean, if the defense had knowledge that the plaintiffs had written postcards to one another with content relevant to the case, would the judge authorize an agent to go through the entire contents of the plaintiffs' homes and sift through it all on the off chance there was more evidence the defense could use?

Because Facebook is a non-party to the case which should not have to shoulder any burden related to its disposition. Of course, if they provided a simple data-export mechanism like Google does for most services, and like they are probably gearing up to do in the EU, that would make the process much easier.

This assumes FB doesn't have an export mechanism, when I'd say it's much more likely that FB doesn't make available to the public an export mechanism.

As in my phone records example, I can't go to my phone company's web site and click to export all calls and texts and things I've gotten in the last year, but you can bet they have a way in case the feds come looking for me.

....This makes me uncomfortable. I'm not sure how else such easily faked digital data can be archived for trial use as evidence; with things like fakeiphonetext.com getting the data directly from the users would be problematic. Other than this particular order, you'd likely need to subpoena the records from the hosting services - Facebook or the cell phone companies themselves. I think that's what Balasubramani is suggesting, and that certainly more normal - though admittedly, it incurs an additional cost on an innocent third party that would need to be managed.

IME, (I do e-discovery software some at work), this would normally be coming from the servers, filtered as to relevance electronically and then by hand by a lawyer (either domestically, or was accepted starting last year, overseas). I have to agree with Balasubramani, in particular that providing passwords allows not just read access but write access to those accounts. Given people's re-use of passwords, this could also be a security risks for all other user accounts across all social media, shopping, banking, medical and IRS sites. At a minimum this should require starting with "Step 1: change your password to something generic. Step 2: give this information to..."

Maybe social media in general should have to be able to provide some sort of time-restircted read-only accounts to allow viewing of this sort of data under court order. Facebook et al should be able to create such a secondary account without having to do significant work, though at that point, it might be easier to do the record dump from the server as is currently the norm.

Why don't they just order the plaintiff to produce the material from the email and social accounts? Just have them print it out. Isn't this what they've done for electronic records for at least the past decade?

That's one heckuva fishing expedition in the defendants' favor. This just seems like a gigantic overreach of the courts. I mean, if the defense had knowledge that the plaintiffs had written postcards to one another with content relevant to the case, would the judge authorize an agent to go through the entire contents of the plaintiffs' homes and sift through it all on the off chance there was more evidence the defense could use?

Generally, if you "knowingly expose" something to a group of people, you no longer have an expectation of privacy when it comes to that thing. It's not all cut and dried, but something posted on FB to a large number of people would probably not be considered private information, even if your employer wasn't on your friends list.

The data Honey Baked Ham is asking for seems to be quite invasive and broadly over aggressive. It also seems to me if the plaintiffs have to provide such information, why shouldn't the defendant have to provide similar information? Honey Baked Ham seems to be using the discovery process to punish the plaintiffs for daring to bring suit against them. Regardless of other factors, Honey Baked Ham seems willing to paint itself as a company willing to continue abuse of people it is accused of sexually harassing as employees. This is the sort of thing I remember when I'm out shopping.

The data Honey Baked Ham is asking for seems to be quite invasive and broadly over aggressive. It also seems to me if the plaintiffs have to provide such information, why shouldn't the defendant have to provide similar information? Honey Baked Ham seems to be using the discovery process to punish the plaintiffs for daring to bring suit against them. Regardless of other factors, Honey Baked Ham seems willing to paint itself as a company willing to continue abuse of people it is accused of sexually harassing as employees. This is the sort of thing I remember when I'm out shopping.

Burden of proof lies with the plaintiff in a case like this (they are the ones making the accusation, after all, it falls to them to prove it). That falls both ways, if they have evidence against and for the defendant, both are equally valid. You can't pick and choose what you are willing to show a court, that would be ridiculous. The plaintiffs will have a chance to object to disclosure of any information discovered this way, and the judge will have to overrule them for it to be disclosed.

Mind you, the defendant in some cases would also have to disclose such information, although it depends on the nature of the information (Fifth Amendment being what it is, you cannot force a defendant to disclose information that would prove them guilty, but if the information is already "public" it might not be protected).

If part of your lawsuit claims your hugely offended by being called a C, and you posted a picture of yourself wearing a shirt that says C on Facebook, that seems relevant to me.

Either way, isn't asking for the password, or an export of the data, silly? Can't the user just delete the data before providing access? It seems the only way to get all the relevant data would be from Facebook itself.

Why does this judge think that obtaining these women's FB passwords is necessary for this discovery? That seems rather stupid to me. As if he doesn't understand basic computer and Internet security. Maybe someone from "Windows Technical Support" should call him up to explain.

This assumes FB doesn't have an export mechanism, when I'd say it's much more likely that FB doesn't make available to the public an export mechanism.

As in my phone records example, I can't go to my phone company's web site and click to export all calls and texts and things I've gotten in the last year, but you can bet they have a way in case the feds come looking for me.

Corporate accounts can, so that definitively answers that question.

Count me into the "subpoena Facebook" camp. They wouldn't have to shoulder any burden, because in a civil suit they would be compensated for their labor, and if the defendants want the information badly enough, they'll pay. With a database that large and subpoenae constantly coming in from police investigations anyway, I'm sure they could just click a button and have the entire account's past activity on a memory stick in seconds, deleted or not.

What would the court do with passwords if the data was deleted? There's no way to undelete or even see deleted posts from the Facebook UI, even though they still internally track it and support can undelete it if you can get them to care long enough.

The data Honey Baked Ham is asking for seems to be quite invasive and broadly over aggressive.

How is asking for something one publishes publicly "invasive"? Is it "invasive" to read a billboard or a newspaper?

mstrcat wrote:

It also seems to me if the plaintiffs have to provide such information, why shouldn't the defendant have to provide similar information?

I'm sure if HBH had a post on their FB that said "we love to sexually harass employees" and then claimed in court that they don't, it would be relevant and would be entered as evidence. I don't expect that's the case, so this isn't really relevant.

mstrcat wrote:

Honey Baked Ham seems to be using the discovery process to punish the plaintiffs for daring to bring suit against them.

By asking for access to evidence? That's pretty much standard procedure, the court doesn't just trust everyone involved to be all on the up and up. Asking for access to something published semi-publicly isn't punishment, and if it feels like punishment to the person who wrote it, they probably shouldn't have written it as they obviously don't stand behind it.

mstrcat wrote:

Regardless of other factors, Honey Baked Ham seems willing to paint itself as a company willing to continue abuse of people it is accused of sexually harassing as employees. This is the sort of thing I remember when I'm out shopping.

I'm sure they miss your ham order and will probably be broke by this time next year.

Either way, isn't asking for the password, or an export of the data, silly? Can't the user just delete the data before providing access? It seems the only way to get all the relevant data would be from Facebook itself.

Destroying evidence opens you up to criminal charges, rather than just losing the case you brought. There's losing, and there's losing big.

If part of your lawsuit claims your hugely offended by being called a C, and you posted a picture of yourself wearing a shirt that says C on Facebook, that seems relevant to me.

Her choice of t-shirt, obnoxious as it is, does not negate the illegality of the alleged harassment.

No, but it speaks to how offended she was or wasn't, which influences potential damages. If I fall off a ladder at work and claim I'm injured, my employer can rightfully argue that my playing basketball the next day proves I'm not THAT injured.

It means if *any of my friends* are *accused* of a sexual harassment, everything I share with friends will be seen by a bunch of people I don't know, and I won't even be notified that it's happening.

No, it's worse than that. If any of your friends are PLAINTIFFS, who use the courts to protect their rights, all their communication will be published. That's right: even if they are the ACTUAL VICTIM of harassment, it now requires a court ordered fishing trip by hostile corporate lawyers to even start that suit.

The data Honey Baked Ham is asking for seems to be quite invasive and broadly over aggressive. It also seems to me if the plaintiffs have to provide such information, why shouldn't the defendant have to provide similar information? Honey Baked Ham seems to be using the discovery process to punish the plaintiffs for daring to bring suit against them. Regardless of other factors, Honey Baked Ham seems willing to paint itself as a company willing to continue abuse of people it is accused of sexually harassing as employees. This is the sort of thing I remember when I'm out shopping.

How is seeking discovery continued abuse? If you sue someone, you've got to expect that they're going to defend themselves. If a plaintiff is going around posting stuff related to the case on Facebook, it would be malpractice for Honey Baked Ham's lawyers to not try to obtain that information. There's nothing abusive about it.

No, but it speaks to how offended she was or wasn't, which influences potential damages. If I fall off a ladder at work and claim I'm injured, my employer can rightfully argue that my playing basketball the next day proves I'm not THAT injured.

Those are two radically different scenarios. I might often refer to myself as a redneck. That wouldn't make it any less offensive if some ignorant git called me that. The word itself doesn't have to be mortally offensive standing alone for it to be used in an offensive and demeaning by someone. Additionally, I fail to see what her sex drive has to do with whether or not she can be sexually harassed.

With that dispensed, as far as the article is concerned, my issue is with requiring disclosure of the password. That's bad precedent (not in the legal sense, the colloquial sense). I have less of an issue with requiring disclosure of some sort in the first place. For now the only person who will see the content is the judge. I think that asking Facebook directly is indeed the best way to go. AFAIK, they are like the cell carriers in that they have existing procedures and price lists for the disclosure of data to law enforcement.

In the criminal cases, defendants have a constitutional right to confront their accusers. In the civil cases, similar concept also apply. I don't see thing anything wrong with the defendant vigorously defend itself.

As mentioned before, several layers of protections had already been build into the process, in camera review, chance to file objection, and chance for Interlocutory Appeal if things doesn't go their way before any information is being turned over to the defense/entered into record. And there will also be chance to file motion in limine to exlcude them from being presented at trial.

Seems very standard discovery procedures for me, just because it involves Facebook doesn't make it noteworthy.

If part of your lawsuit claims your hugely offended by being called a C, and you posted a picture of yourself wearing a shirt that says C on Facebook, that seems relevant to me.

Her choice of t-shirt, obnoxious as it is, does not negate the illegality of the alleged harassment.

No, but it speaks to how offended she was or wasn't, which influences potential damages. If I fall off a ladder at work and claim I'm injured, my employer can rightfully argue that my playing basketball the next day proves I'm not THAT injured.

That makes no sense.

Let's say you have a fat, disgusting female boss that smells like bologna on most days. Day in and day out, between staring at your crotch while licking her pimento-stained lips, occasionally feeling your ass when you're in the elevator together, etc. she also starts calling you a 'dick' whenever you point out your displeasure with her actions. You might find that offensive, likely both because you don't necessarily see yourself as that much of a dick to be called that by your boss, and because largely, you're not a dick.

Perhaps outside the workplace you sometimes go out with your friends. You might argue over something and one of your friends calls you a 'dick'. You call him a dick right back and no feelings are hurt, no one is suing anyone. Maybe you even have a sense of humor, and at some point in your early college days, you bought stupid t-shirts: "free mustache rides", Led Zeppelin retro t's, "RELAX", and maybe, just because you were such a witty little scamp, you bought the self-effacing chick-magnet T that reads "dick". Someone even has a picture of you wearing it on Facebook.

Does it follow that as part of the long list of things you sue Fatty McBolognaBreath over should NOT be her calling you a 'dick'? Can you explain how that logic works and how someone calling you a dick and you having worn a shirt with that word on it somehow means you don't mind your boss routinely calling you a dick when you tell her to stop cupping your supple buttocks?

Why not subpoena Facebook and order them to disclose the relevant info? Requiring the plaintiffs to divulge their passwords to the court doesn't seem like a very good practice.

I wonder the same thing. Courts have no problem granting subpoenas for your bank records, phone records, etc., but they can't subpoena Facebook for some reason?

There's also a data integrity issue with using the user's passwords. If they were smart, they created a Facebook Group to discuss all this stuff, and then all left the group, thus deleting the group, before the case was filed. Any such discussions would not be visible to the Special Master with a password, but would likely be accessible via subpoena.

What would be funny is if Facebook then deleted their accounts for ToS violations related to giving out their passwords.

It would, except that Facebook never really seem to delete anything at all.

I'm with the people who say they should be subpoenaing Facebook. Requiring anybody to disclose their passwords and other credentials for anything at all is just a really, really bad idea. And a violation of the ToS of almost everything, as pointed out.

From the sound of the information they're digging for, it seems like they're going to try to make the case that at least one of these women was 'asking for it'. I maybe leaping to conclusions based on insufficient information, but that's really rather disgusting.

If part of your lawsuit claims your hugely offended by being called a C, and you posted a picture of yourself wearing a shirt that says C on Facebook, that seems relevant to me.

Her choice of t-shirt, obnoxious as it is, does not negate the illegality of the alleged harassment.

No, but it speaks to how offended she was or wasn't, which influences potential damages. If I fall off a ladder at work and claim I'm injured, my employer can rightfully argue that my playing basketball the next day proves I'm not THAT injured.

No, it really doesn't speak to how offended she was or wasn't. I have a gay friend who I am very close with. If he does something particularly stereotypically gay and call him a fag, it isn't offensive. If my best friend, who is a women, ask me how she looks after changing and I give her two thumbs up and tell her "fantastically slutty", it isn't offensive. Why? I have a relationship with both of these people where we can sling back and forth normally offensive language because we are confident that the other person is joking. If either one of these people had their fucking boss say such things, especially on a regular basis, they would quit their jobs.

Context is everything, which is why we should all hate lawyers.

A woman can wear a cunt shirt with certain people and in certain places, and still be offended and pissed if her boss calls her a cunt.

Timothy B. Lee / Timothy covers tech policy for Ars, with a particular focus on patent and copyright law, privacy, free speech, and open government. His writing has appeared in Slate, Reason, Wired, and the New York Times.